
Cyber Intelligence Briefing: 30 July 2021

Billy Gouveia, Kyle Schwaeble 30 July 2021



The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.


  • Force majeure. Operations at major South African ports disrupted by cyber attack.
  • Botnet fallout. Estonian national pleads guilty to building and operating global botnet for cybercriminals.
  • Good news round-up. No More Ransom saves victims nearly EUR 1 billion, Kaseya obtains working decryptor and declares it didn’t pay threat actor for it, and Coveware reports a decline in average ransom demands.
  • Windows 11 scam. Fake Windows 11 installers are being used to deliver malware.
  • Healthcare data leaks. Several healthcare providers are in the spotlight after data breaches this week.
  • PetitPotam. Microsoft warns of new method to compromise devices.

Transnet declares force majeure in South Africa

Transnet, South Africa’s state-owned rail, port, and pipeline company, has declared force majeure following a cyber attack on 22 July. In a letter to customers, Transnet claimed relief from contractual liability after what it described as a “cyber attack, security intrusion, and sabotage” caused significant interference with its ability to operate.

Operations at major ports, including in Cape Town and Durban, were suspended following the incident. While the force majeure is still in place, most port operations have since been restored. An internal investigation into the cause and extent of the incident is ongoing.


 SO WHAT?  The incident is the latest in a series of recent cyber attacks against critical national infrastructure and highlights the physical impact cyber attacks can cause. After the violent riots earlier this month, and with an economy struggling to recover from the pandemic, South Africa cannot afford any prolonged disruption at its ports.

Estonian national pleads guilty to building and operating global botnet for cybercriminals

On 21 July, the US Department of Justice announced that Estonian national Pavel Tsurkan had pleaded guilty to computer fraud and abuse after building and operating a global botnet used for criminal activity. Tsurkan compromised more than 1,000 computer devices and internet routers for his botnet. He faces a maximum penalty of 10 years in prison.

Tsurkan modified routers to transmit third-party internet traffic without their owners’ knowledge and sold cybercriminals access to his botnet. Owners of compromised routers had to pay hundreds to thousands of dollars due to data overages caused by the increased traffic.


 SO WHAT?  Botnets continue to be critical infrastructure for cybercrime. Home computers, routers, and internet of things devices should be hardened and, where possible, protected with anti-virus solutions.

Good news round-up

  • The No More Ransom project has reportedly saved ransomware victims almost EUR 1 billion in five years. The organisation manages a library of decryption tools for many ransomware strains and has helped more than 6 million victims recover their files without paying the ransom demands.

  • Last week, Kaseya announced it had obtained a working decryptor that could assist victims of the widespread ransomware attack leveraging its VSA platform. Interestingly, Kaseya has denied that it paid or even negotiated with REvil, the threat group behind the attack, to obtain the decryptor.

  • Finally, Coveware, a firm that aggregates ransomware data, has reported that the average ransom demand has declined 38 percent from Q1 to Q2 2021. It also noted that the number of attacks by groups that traditionally demand large ransoms, such as Ryuk and Clop, has reduced over the same period.


 SO WHAT?  While good news is still good news, there is no indication of a significant shift in the threat landscape, and ransomware continues to pose a threat to organisations worldwide.

Fake Windows 11 installers are being used to distribute malware

Threat actors are disguising malware as Windows 11 installers. Windows 11 is not yet available to the public; however, customers in the Windows Insider Program are able to install the upgrade.

Many users have been found to be downloading installers from unofficial sources. These fake Windows 11 installers may place malware on a victim’s device, including adware, trojans and password stealers.


 SO WHAT?  Scams leveraging the forthcoming Windows 11 will likely continue, if not increase, as we near the official launch. Users should be vigilant and only interact with Windows 11 downloads from official sources.

Round-up: Data breaches in the healthcare sector

  • Northern Ireland’s COVID-19 vaccine certification service was suspended after bugs in the system exposed some individuals’ data to other users. Both the web and mobile app versions of the service were temporarily taken down to limit any further exposure.
  • The University of San Diego Health suffered a data breach after some employee email accounts were compromised. The threat actor, who had access for over four months, likely acquired personal, health, and financial information for patients, students, and employees.
  • A patient is suing Mercy University Hospital in Cork, Ireland after their data was leaked on the dark web following a ransomware attack against the Irish public healthcare service in May 2021.


 SO WHAT?  The healthcare sector is a particularly attractive target for threat actors because of the value of the data it typically holds. Organisations should be familiar with their legal and regulatory obligations to protect their customers' and other stakeholders' data and ensure they have an appropriate response plan in place should that data be compromised.

PetitPotam: Microsoft warns of new method to compromise devices

A new method to conduct an NTLM relay attack, dubbed PetitPotam, uses legitimate services to force Windows systems to reveal password hashes. These can be used to compromise accounts and other devices on the network. This latest NTLM exploit follows a long history of the protocol's abuse in relay attacks.


 SO WHAT?  Microsoft has released suggested mitigations for the attack but ultimately urges users to disable NTLM, if possible. Be aware that disabling NTLM can cause significant disruptions and should only be considered following a thorough analysis of the implications.

